I would like to create a compliance rule for a user rights policy such as "Change time zone". Policy defines that there are only a few permitted entries, for example BUILTIN\Administrators and NT AUTHORITY\LOCAL SERVICE.

I have brought in the "Change time zone" user rights policy as a part and used both the effective and local setting and tried both list of string values and string value. In my case these are the same. When testing this rule, the output on the left looks like this:

"NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators"

If I use the "equals" operator, it will return non-compliant because sometimes the order is different from above or a server may have one and not the other. "Is one of" also produces similar results.

The "Contains" operator will return a compliant result when I create a rule for each entry; however, it will still return compliant if another invalid entry is present. I would like to see if there is an operator or perhaps different logic I can use that will give me the desired result before scripting this out.

Break "NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators" into two and then use the "equal" operator. What's stopping you from doing it this way? My thinking may sound naive. Currently I have no access to BSA; I will try to figure this out in a better way in a couple of days.

I ended up dropping the Server Object part and creating an extended object that translates the comma to a return (like Monoj Padhy and Joe Piotrowski suggested). This way I can use equals and check for each value like this:

= null (or)

= NT AUTHORITY\LOCAL SERVICE (or)

= BUILTIN\Administrators

To extend or add users, it would be a matter of adding a line instead of rewriting the rule:

+ (or)

= newuser

Not much difference, but it does solve the issue of multiple values being seen as a single value. I was hoping this was possible using the server object parts, but it is time to move on.
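
The check the thread converges on (every assigned entry must be on an allowlist, in any order, and a missing or empty assignment is acceptable) can be written as a set comparison. This is an added PowerShell example, not code from any poster or from BSA; the function name, the `CONTOSO\helpdesk` account and the sample strings other than the one quoted in the thread are constructed for illustration.

```powershell
# Added example: order-independent allowlist check for one user right.
# Test-UserRightAllowlist and its parameter names are hypothetical.
function Test-UserRightAllowlist {
    param(
        [string]$Assigned,    # comma-separated value as the rule displays it
        [string[]]$Allowed    # permitted principals for this right
    )

    # Case-insensitive set, since Windows account names are not case-sensitive.
    $allowedSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $Allowed) { [void]$allowedSet.Add($a.Trim()) }

    # Split on commas, trim, and drop empties (an empty assignment is the "= null" case).
    $entries = @($Assigned -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Anything assigned that is not on the allowlist makes the right non-compliant.
    $unexpected = @($entries | Where-Object { -not $allowedSet.Contains($_) })

    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0)
        Entries    = $entries
        Unexpected = $unexpected
    }
}

$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE'

# Constructed sample values; only the first string appears in the thread.
$samples = @(
    'NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators',   # as quoted in the thread
    'BUILTIN\Administrators,NT AUTHORITY\LOCAL SERVICE',   # same entries, order reversed
    'BUILTIN\Administrators',                               # only one of the two present
    '',                                                     # nothing assigned
    'BUILTIN\Administrators,CONTOSO\helpdesk'               # one entry not on the allowlist
)

foreach ($s in $samples) {
    $r = Test-UserRightAllowlist -Assigned $s -Allowed $allowed
    '{0,-5} [{1}] unexpected: [{2}]' -f $r.Compliant, $s, ($r.Unexpected -join ', ')
}
```

The first four samples report `True` and the last reports `False` with `CONTOSO\helpdesk` listed as unexpected, which is the case the per-entry "Contains" rules let through.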